Flash socket policy file

If you use web-socket-ruby or em-websocket, you don't need anything special, because they handle Flash socket policy file request. But if you already provide socket policy file at port 843, you need to modify the file to allow access to Web Socket port, because it precedes what the libraries provide.

If you use other Web Socket server implementation, you need to provide socket policy file yourself. See Setting up A Flash Socket Policy File for details. Implementation of socket policy file server is available at:

Actually, it's still better to provide socket policy file at port 843 even if you use web-socket-ruby or em-websocket. Flash always try to connect to port 843 first, so providing the file at port 843 makes startup faster.

Cookie support

web-socket-js has limited supported for Cookies on WebSocket.

Cookie is sent if Web Socket host is exactly the same as the origin of JavaScript (The port can be different). Otherwise it is not sent, because I don't know way to send right Cookie (which is Cookie of the host of Web Socket, I heard). Also, HttpOnly Cookies are not sent.

Note that it's technically possible that client sends arbitrary string as Cookie and any other headers (by modifying this library for example) once you place Flash socket policy file in your server. So don't trust Cookie and other headers if you allow connection from untrusted origin.

Proxy support

The WebSocket spec specifies instructions for User Agents to support proxied connections by implementing the HTTP CONNECT method.

The AS3 Socket class doesn't implement this mechanism, which renders it useless for the scenarios where the user trying to open a socket is behind a proxy.

The class RFC2817Socket (by Christian Cantrell) effectively lets us implement this, as long as the proxy settings are known and provided by the interface that instantiates the WebSocket. As such, if you want to support proxied conncetions, you'll have to supply this information to the WebSocket constructor when Flash is being used. One way to go about it would be to ask the user for proxy settings information if the initial connection fails.

How to host HTML file and SWF file in different domains

By default, HTML file and SWF file must be in the same domain. You can follow steps below to allow hosting them in different domain.

WARNING: If you use the method below, HTML files in ANY domains can send arbitrary TCP data to your WebSocket server, regardless of configuration in Flash socket policy file. Arbitrary TCP data means that they can even fake request headers including Origin and Cookie.

How to build WebSocketMain.swf

WebSocket protocol versions

web-socket-js doesn't speak old draft versions of WebSocket protocol including hixie-76, which was supported by old version of this library. If you really need web-socket-js which speaks hixie-76, you can get it from hixie-76 branch, but the branch is no longer maintained.